Schema in a request allows additional properties
Issue ID: schema-request-object-additionalproperties-true
Average severity: Medium
Description
The schema you have defined allows additional properties, either intentionally or unintentionally.
In JSON, by default, any object can also accept additional properties. OpenAPI Specification (OAS) v2 does not define this behavior, and the current tooling (such as parsers and codegen) does not support it. Instead, they only accept the value object
for this property. Thus, it is not recommended to use Boolean values.
However, OAS v2 does support using additionalProperties
to specify a schema to which the additional properties must conform.
For more details, see the OpenAPI Specification.
Example
The following is an example of how this type of risk could look in your API definition. In this case, the schema does not use any combining operations (so there is no need to allow additional properties) but additionalProperties
is set to true
:
{
"post": {
"operationId": "addPet",
"parameters": [
{
"name": "pet",
"in": "body",
"description": "Pet to add to the store",
"required": true,
"schema": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"tag": {
"type": "string"
}
},
"required": [
"name"
],
"additionalProperties": true
}
}
]
}
}
Possible exploit scenario
If you do not clearly define the schema and you leave properties of a JSON payload empty, you effectively allow attackers to pass in any data. This means that you are opening your backend to various attacks, such as SQL injection.
This also lets attackers to try various unexpected inputs. Unexpected inputs may cause the backend server to crash or behave in an unexpected way. This in turn may cause the server to potentially leak stack trace that can be used for further attacks, or even data.
If no restrictions to the set of properties in the JSON payload are enforced, the API might also accept more fields than expected. The received payloads could be blindly transformed into an object and stored, overwriting sensitive internal data.
Remediation
The safest option is not to allow additional properties. If the schema does not use allOf
at all, make sure you define all properties of the accepted JSON payload in the schema itself.
Do not use combining operations (allOf
) for defining additional properties in API definitions following the OAS v2.
We recommend updating your API definition to follow the OAS v3, because it offers proper support for additionalProperties
as Boolean, in addition to other improvements.
If you cannot update your API to OAS v3, use additionalProperties
to provide the schema that you want to support:
{
"definitions": {
"Pet": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"petType": {
"type": "string"
}
},
"required": [
"name",
"petType"
],
"additionalProperties": "#/definitions/Cat"
},
"Cat": {
"properties": {
"furType": {
"type": "enum",
"enum": [
"short-haired",
"long-haired",
"curly",
"naked"
],
"default": "short-haired"
}
}
}
}
}